Fintech startups and banks face off on new rules over European payments and data access

Alexander is a freelance journalist and public policy researcher living in Brussels, Belgium. His work has appeared in Foreign Affairs, EUObserver, VICENews, and elsewhere. Find him on Twitter @ajsaeedy.

Updated September 25th, 2017.

A group of more than 70 European fintech companies is warning that new EU rules on payments processing could unfairly pit them against large banks and decimate the industry if they are passed into law.

The rules are part of the European Union’s Payment Services Directive (PSD) and would ban “screen scraping,” a technique commonly used by fintech companies to “scrape” display data from one application (like an online banking service) and display it on their own.

Usually, fintech startups scrape data by logging into banking applications on behalf of their customers, using sensitive credentials such as passwords and PIN codes.

In their manifesto, the 71 fintech firms argue that the ban on scraping is unreasonable and a backdoor method for traditional banks to claw back control as the Fintech revolution threatens to upend their business models.

However, banks are arguing that screen scraping is too dangerous and that customer data should only be accessible through bank-provided application programming interfaces (APIs) in the interest of customer security.

“The customer is in control of what can and cannot be shared with a third party, as the API is consent and permission-driven. Alternative technologies for sharing data exist, but are less robust and less secure than APIs,” said David Song, an EU affairs expert at UK Finance, which represents over 300 firms providing banking, payments, and financial services in the United Kingdom.

Fintech companies, for their part, say that banks have an incentive to build semi-functional APIs that would tarnish fintech upstarts’ own quality of service and scare customers away from using their products, which at times compete directly with the services that banks offer to their clients.

“If we’re forced to use an API that doesn’t provide a good service, it will kill our business. We’ll have to use a low-quality interface that won’t meet our service needs and will drive customers away,” said Joan Burkovic of Bankin, a French fintech startup that helps customers manage their money and finances via an app that links to their existing bank accounts.

They also argue that a fallback option to screen scraping should necessarily be kept open in case a bank’s API fails.

“Without the fallback option, our business is effectively in the hands of banks. They’ll have full control over all the information they give to us and can even impose restrictions on how they send it. That goes entirely against the spirit of EU rules that guarantee technological neutrality for payments,” said Arturo González Mac Dowell, President & CEO of EuroBits, a payments aggregator headquartered in Spain.

Revised payment services directive

The European Union’s Payment Services Directive (PSD), originally passed in 2007, built a single market for cashless payments in Europe, making cross-border payments as easy and efficient for European consumers and businesses as domestic transfers.

It was revised in 2015 by the European Commission in part to promote more competition and digital innovation within the banking and payments sector.

Most importantly, the revised PSD (also known as PSD2) mandated that banks loosen their grip over customer account data and allow third parties to be able to access it with customers’ permission.

It is no secret that this will present a challenge to retail banks, who will lose their exclusive hold over customer data and be forced to innovate in both payments processing and customer data analytics, where many of their upstart competitors already have a significant lead.

“This presents banks with a challenge. At best, PSD2 puts at risk an important income stream for banks and at worst will relegate them to the status of a utility, acting as simple data holder,” said Jacqui Hatfield, former partner at the law firm Reed Smith, in an editorial for Banking Tech.

However, as is common practice in European financial regulation, a regulatory agency under the Commission’s authority was given the right to draft technical guidelines (such as the rules on screen scraping) that would come into effect after the general framework of the PSD2 was finalized and agreed among lawmakers.

The controversial ban on screen scraping was first tabled by the European Banking Authority, a London-based agency of the European Commission which has regulatory oversight over European banks, in February.

“The EBA is of the view that accessing accounts through screen scraping will no longer be allowed on the basis of a number of provisions under PSD2, especially the requirements on secure communication and on restrictions on [payments providers] in accessing data and information from accounts and transactions,” the agency said in its February proposal.

Banks agree.

“API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easier for consumers to use than typing codes into a form. Breach after breach has made clear that there is no such thing as a ‘secure’ or ‘strong’ way to use passwords,” said the FIDO Alliance, an industry consortium of banks and payment services providers like Visa and MasterCard, in an open letter to EU lawmakers at the end of August.

The European Commission, which has final say over the proposed draft rules, has publicly disagreed with the EBA’s position and swooped in from above this summer to propose amendments to the guidelines, allowing for a “fall back” to screen scraping if banks’ APIs failed to provide fintech companies with reliable account data.

But in any case, the final rules will have to be vetted by both the European Parliament and finance ministers in the European Council, who have the right to veto them. It is expected by some that Council representatives from countries without a substantial fintech industry may push for a compromise between the Commission and EBA versions.

Why it matters for fintech startups

PSD2 falls into line with the Juncker Commission’s Digital Single Market strategy from 2014, in which it promised to break down barriers in the provision and sale of digital services and to ensure the free movement of data between consumers and companies in Europe.

The rules on digital payments are also envisaged to help break Europe’s longstanding dependency on bank finance. Many see the over-dominance of banks as an endemic problem to the growth of European capital markets and an important cause of the sovereign debt crises of 2010-2015.

However, the standoff on screen scraping suggests to some that large banks can still throw their weight around in lobbying EU laws aimed at increasing competition in financial services.

“The European Banking Authority has been behaving more like the European Banking Association on PSD2. It’s incredible that they haven’t met with any fintech companies at all to discuss their needs but are regularly taking meetings with banking associations on digital innovation,” said one fintech startup executive who declined to be named for the purposes of the article.

It has also shown that there is no single European rulebook dedicated to fintech regulation, which is instead managed by a mix of national regulators and a constellation of institutions and agencies at the European level.

“It is striking to observe the large number of institutions currently commenting, regulating, drafting, consulting, and exchanging ideas on fintech. There are already overlaps at European level, but more importantly there is already substantial regulatory divergence between EU countries,” wrote a team of three researchers from Brussels think-tank Bruegel for a discussion of EU finance ministers in Estonia this month.

However, the researchers also pointed out that “in the European context, issues such as data privacy, cybersecurity, consumer protection and operational risks will be of central importance for consumer acceptance.”

Still, the outstanding question is whether banks’ privacy concerns in the PSD2 are merely a Trojan horse to torpedo a nascent FinTech industry in Europe and to cling to their waning hold over customer account data.

“The bottom line is this: the Payment Services Directive 2 was designed in order to increase competition in the sphere of payments. Putting a ban on screen scraping would undermine that principle,” said Nick Wallace of the Centre for Data Innovation.

The first parts of the PSD2 will come into force in all 28 Member States and the European Economic Area in January 2018. The Commission is expected to present its finalized set of rules on screen scraping in October or November, which will come into force 18 months after they are adopted by EU institutions.